Hi,

the current net-analyzer/rrdtool-1.4.7-r1 ebuild added an init script for rrdcached (thanks to https://bugs.gentoo.org/show_bug.cgi?id=327447).

Note that running rrdcached not as root is not supported (at least not by the provided scripts). So the configuration in "/etc/conf.d/rrdcached" is misleading! Please remove the USER/GROUP line. Also check if MODE really works - I don't think that rrdcached checks environment variables at all.

But rrdcached supports a group for the socket. From "man rrdcached":

    -s group_name|gid
        Set the group permissions of a UNIX domain socket. The option accepts either a numeric group id or group name. That group will then have both read and write permissions (the socket will have file permissions 0750) for the socket and, therefore, is able to send commands to the daemon. This may be useful in cases where you cannot easily run all RRD processes with the same user privileges (e.g. graph generating CGI scripts that typically run in the permission context of the web server).

This is really useful and should be default: Please add a group "rrdcached" and change

    RRCACHE_ARGS="-l unix:/var/run/rrdcached.sock -j /var/lib/rrdcached/journal/ -F -b /var/lib/rrdcached/db/ -B"

into

    RRCACHE_ARGS="-s rrdcached -l unix:/var/run/rrdcached.sock -j /var/lib/rrdcached/journal/ -F -b /var/lib/rrdcached/db/ -B"

Please note the argument order - that's important :)

Reproducible: Always
It is perfectly possible to run rrdcached with another user, just add the --user option to start_stop_daemon_args in the init script:

    start_stop_daemon_args="--quiet --user rrdcached"

And that's the way it should be done, since apparently running it as root is a security hazard, see http://oss.oetiker.ch/rrdtool/doc/rrdcached.en.html#ISanity_checking

So:
- the ebuild should create the rrdcached user & group
- the /var/lib/rrdcached/ folder ownership should be changed to rrdcached:rrdcached
- the init script should be changed to run with the rrdcached user & group

Since we are at it the service should use /run/rrdcached.sock and not /var/run/rrdcached.sock
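The two configuration points raised in the comments above (a `-s` group has to come before the `-l` socket it applies to, and the socket belongs under /run) can be checked mechanically. The following is an added example, not part of the bug report or the ebuild; the function name `check_rrdcached_args` and its finding texts are made up here, and it only looks at `unix:` listen addresses.

```shell
#!/bin/sh
# Added example, not from the ebuild: lint an rrdcached argument string such as
# the RRCACHE_ARGS value in /etc/conf.d/rrdcached. The function name and the
# finding texts are made up for this example.

# Usage: check_rrdcached_args "<args>"
# Prints one finding per line; returns 0 when there are none, 1 otherwise.
check_rrdcached_args() {
    group=""      # group named by the most recent -s, empty if none yet
    findings=0
    set -f        # split the string into words without glob expansion
    set -- $1
    set +f
    while [ $# -gt 0 ]; do
        case $1 in
            -s)
                # -s only affects -l options that come after it
                if [ $# -ge 2 ]; then group=$2; shift; fi
                ;;
            -l)
                [ $# -ge 2 ] || break
                addr=$2; shift
                case $addr in
                    unix:*)
                        path=${addr#unix:}
                        if [ -z "$group" ]; then
                            echo "$path: no -s before this -l, socket group not set"
                            findings=$((findings + 1))
                        fi
                        case $path in
                            /run/*) ;;
                            *)  echo "$path: socket is not under /run"
                                findings=$((findings + 1)) ;;
                        esac
                        ;;
                esac
                ;;
        esac
        shift
    done
    [ "$findings" -eq 0 ]
}

# Constructed demo: the original value quoted in the report yields two findings.
check_rrdcached_args "-l unix:/var/run/rrdcached.sock -j /var/lib/rrdcached/journal/ -F -b /var/lib/rrdcached/db/ -B" || true
```
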
Hi Developers,

It is my first time trying to write an init script. I am not a shell script guy. The implementation may not be so good.

What I have done:
1. add a new user:group rrdcached:rrdcached
2. change the owner of folder /var/lib/rrdcached{,/db,/journal} to rrdcached:rrdcached
3. write a new rrdcached init script that will run as user rrdcached:rrdcached
4. write a rrdcached confd file, based on rrdcached man page

Please help to review the files. Thanks.

--
--- /usr/portage/net-analyzer/rrdtool/rrdtool-1.4.8-r1.ebuild 2014-05-20 14:01:00.000000000 +0800 +++ rrdtool-1.4.8-r1.ebuild 2014-05-27 15:31:05.288464877 +0800 @@ -7,7 +7,7 @@ DISTUTILS_OPTIONAL="true" GENTOO_DEPEND_ON_PERL="no" PYTHON_COMPAT=( python2_7 ) -inherit eutils distutils-r1 flag-o-matic multilib perl-module autotools +inherit eutils distutils-r1 flag-o-matic multilib perl-module autotools user DESCRIPTION="A system to store and display time-series data" HOMEPAGE="http://oss.oetiker.ch/rrdtool/" @@ -55,6 +55,11 @@ distutils-r1_python_install } +pkg_setup() { + enewgroup rrdcached + enewuser rrdcached -1 -1 /var/lib/${PN} rrdcached +} + src_prepare() { epatch "${FILESDIR}"/${PN}-1.4.7-configure.ac.patch @@ -137,8 +142,10 @@ find "${ED}"usr -name '*.la' -exec rm -f {} + - keepdir /var/lib/rrdcached/journal/ - keepdir /var/lib/rrdcached/db/ + for x in /var/lib/rrdcached{,/db,/journal}; do + keepdir "${x}" + fowners rrdcached:rrdcached "${x}" + done newconfd "${FILESDIR}"/rrdcached.confd rrdcached newinitd "${FILESDIR}"/rrdcached.init rrdcached
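Review bot: The home directory passed to enewuser in the pkg_setup() hunk is /var/lib/${PN}, and in this ebuild ${PN} is rrdtool, so the rrdcached account ends up with /var/lib/rrdtool as its home while the directories created and chowned in the last hunk are under /var/lib/rrdcached. Spell the path out as /var/lib/rrdcached so the account's home is the directory the package actually installs and owns.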
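Review bot: The loop in the last hunk (-137,8 +142,10) sets the owner of /var/lib/rrdcached{,/db,/journal} but never sets a mode, so the journal and database directories keep the default install permissions and stay readable by accounts outside the rrdcached user and group. If only the daemon and members of the rrdcached group are meant to read them, add an fperms call next to fowners, for example fperms 0750 "${x}".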
Created attachment 377698: rrdtool ebuild file with new user rrdcached:rrdcached
Created attachment 377700: files/rrdcached.init
Created attachment 377702: files/rrdcached.confd
Comment on attachment 377698 [details] rrdtool ebuild file with new user rrdcached:rrdcached --- rrdtool-1.4.8-r1.ebuild 2014-05-20 08:01:00.000000000 +0200 +++ - 2014-05-27 14:49:37.409579781 +0200 @@ -7,7 +7,7 @@ DISTUTILS_OPTIONAL="true" GENTOO_DEPEND_ON_PERL="no" PYTHON_COMPAT=( python2_7 ) -inherit eutils distutils-r1 flag-o-matic multilib perl-module autotools +inherit eutils distutils-r1 flag-o-matic multilib perl-module autotools user DESCRIPTION="A system to store and display time-series data" HOMEPAGE="http://oss.oetiker.ch/rrdtool/" @@ -55,6 +55,11 @@ distutils-r1_python_install } +pkg_setup() { + enewgroup rrdcached + enewuser rrdcached -1 -1 /var/lib/${PN} rrdcached +} + src_prepare() { epatch "${FILESDIR}"/${PN}-1.4.7-configure.ac.patch @@ -137,8 +142,10 @@ find "${ED}"usr -name '*.la' -exec rm -f {} + - keepdir /var/lib/rrdcached/journal/ - keepdir /var/lib/rrdcached/db/ + for x in /var/lib/rrdcached{,/db,/journal}; do + keepdir "${x}" + fowners rrdcached:rrdcached "${x}" + done newconfd "${FILESDIR}"/rrdcached.confd rrdcached newinitd "${FILESDIR}"/rrdcached.init rrdcached
(In reply to Jeroen Roovers from comment #6) > Comment on attachment 377698 [details] > rrdtool ebuild file with new user rrdcached:rrdcached > > --- rrdtool-1.4.8-r1.ebuild 2014-05-20 08:01:00.000000000 +0200 > +++ - 2014-05-27 14:49:37.409579781 +0200 > +pkg_setup() { > + enewgroup rrdcached > + enewuser rrdcached -1 -1 /var/lib/${PN} rrdcached > +} You would need the group/user at install time, not compile time, so this should move to pkg_postinst(). > @@ -137,8 +142,10 @@ > find "${ED}"usr -name '*.la' -exec rm -f {} + > - keepdir /var/lib/rrdcached/journal/ > - keepdir /var/lib/rrdcached/db/ > + for x in /var/lib/rrdcached{,/db,/journal}; do > + keepdir "${x}" > + fowners rrdcached:rrdcached "${x}" > + done Likewise, fowners can be run in pkg_postinst() with better results.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a57c5e54c6b898a2075ebf22a622e7f9a04fc8ce

commit a57c5e54c6b898a2075ebf22a622e7f9a04fc8ce
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2022-04-05 19:31:30 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2022-04-05 19:31:44 +0000

    net-analyzer/rrdtool: add 1.8.0

    Closes: https://bugs.gentoo.org/439652
    Closes: https://bugs.gentoo.org/450674
    Closes: https://bugs.gentoo.org/836576
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 net-analyzer/rrdtool/Manifest                 |   1 +
 net-analyzer/rrdtool/files/rrdcached.confd-r1 |  13 ++
 net-analyzer/rrdtool/files/rrdcached.init-r1  |  23 +++
 net-analyzer/rrdtool/metadata.xml             |   1 +
 net-analyzer/rrdtool/rrdtool-1.8.0.ebuild     | 246 ++++++++++++++++++++++++++
 5 files changed, 284 insertions(+)